Skip to main content

Trust Center

Security, compliance, and data protection are foundational to Fleece AI. We build trust through transparency, rigorous controls, and continuous improvement.

Compliance & Certifications

SOC 2 Type II

In Progress

Service Organization Control 2 — Trust Service Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

ISO 27001:2022

Planned

International standard for Information Security Management Systems (ISMS). Covers risk assessment, access control, cryptography, and business continuity.

GDPR

Compliant

European General Data Protection Regulation. Full compliance with data subject rights, lawful processing, and cross-border transfer safeguards.

CCPA

Compliant

California Consumer Privacy Act. Supports right to know, right to delete, and right to opt-out of data sales.

Security Controls

Data Encryption3 controls
  • TLS 1.3 in transit
  • AES-256 at rest (Neon)
  • SHA-256 API key hashing
Access Control5 controls
  • OAuth 2.0 (4 providers)
  • JWT sessions
  • API key auth with expiry
  • Role-based plan gating
  • CRON_SECRET for scheduled jobs
Monitoring & Logging4 controls
  • Immutable audit logs (SOC 2 CC7)
  • 25+ audited event types
  • Health check endpoint (SOC 2 A1)
  • Rate limit tracking
Application Security5 controls
  • Content Security Policy (CSP)
  • HSTS (2 years, preload)
  • X-Frame-Options: SAMEORIGIN
  • Rate limiting on all API routes
  • Parameterized queries (SQL injection safe)
Privacy & Consent5 controls
  • GDPR data export (Article 20)
  • Right to deletion (cascade)
  • Cookie consent (opt-in analytics)
  • GA4 consent mode (denied by default)
  • RFC 8058 email unsubscribe
Infrastructure4 controls
  • Vercel edge network (global CDN)
  • Neon serverless PostgreSQL (auto-failover)
  • Stripe PCI DSS Level 1
  • No secrets in codebase

Compliance Documents

Privacy PolicyTerms of ServiceData Processing Agreement (DPA)Sub-processor ListSecurity Practicessecurity.txt (RFC 9116)

Data Residency & Transfers

Primary application data is stored in Neon PostgreSQL (AWS us-east-1, United States). All data at rest is encrypted with AES-256.

Application hosting is provided by Vercel with a global CDN edge network. Static assets are cached at edge locations worldwide, but dynamic data processing occurs in the US-East region.

For EU data subjects, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission for any data transfers outside the EEA. All our sub-processors maintain equivalent data protection standards.

Incident Response

We maintain a structured incident response procedure aligned with SOC 2 CC7 and GDPR Article 33/34 requirements:

  1. DetectionAutomated monitoring, audit log anomaly detection, and user reports.
  2. ClassificationSeverity assessment (P1-P4) based on data impact, scope, and regulatory implications.
  3. ContainmentImmediate isolation of affected systems, credential rotation, access revocation.
  4. NotificationAffected data subjects and supervisory authorities notified within 72 hours as required by GDPR Article 33.
  5. Remediation & Post-mortemRoot cause analysis, corrective actions, process improvements documented and tracked.

Security Contact

For security inquiries, vulnerability reports, or compliance requests, contact us at contact@fleeceai.app